Saturday, June 23, 2018

In another exposure of Aadhaar’s
cybersecurity weaknesses, over 70 subdomains under a Government of
India website are providing access to demographic-authentication
services without requiring
identity verification from the requester. The websites
allow users to access an application programming interface, or API,
in which anyone can enter a person’s Aadhaar number, name, gender
and date of birth, and be directed to a page that either reads “yes”
or displays an error message, indicating whether or not the
information corresponds to a valid entry in the Aadhaar database.
Providing such unrestricted access to this API raises major concerns
of privacy, and may be exploited by hackers seeking to uncover
people’s Aadhaar numbers. It also violates the Aadhaar Act, the
law governing India’s nationwide digital-identity programme.

Two security researchers—Srinivas
Kodali and Karan Saini—independently found the vulnerability and
reported it to relevant authorities.
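To make the exposure concrete, here is an added example (my own illustration, not code from UIDAI, the researchers or any of the sites involved) of a demographic-verification endpoint modelled as plain Python functions: the open yes/error oracle described above beside a version that requires a registered requester, enforces a per-requester quota and writes an audit log. All records, API keys and 12-digit numbers below are constructed sample values.

```python
"""Demographic-verification endpoint, open vs. gated (constructed example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample records: number -> (name, gender, date of birth).
# Made-up values only; none of these is a real identifier.
RECORDS = {
    "999900001234": ("ASHA DEVI", "F", "1985-04-12"),
    "999900005678": ("RAVI KUMAR", "M", "1990-11-30"),
}

# Constructed registered requesters: API key -> (requester id, calls per hour).
REQUESTERS = {
    "demo-key-bank-001": ("bank-001", 5),
}


def open_verify(number, name, gender, dob):
    """The exposed behaviour: no requester identity, no limit, a bare yes/error.

    Because nothing ties a call to a caller, the answer can be harvested at
    scale, which is the enumeration risk the article describes."""
    rec = RECORDS.get(number)
    if rec == (name.upper(), gender, dob):
        return "yes"
    return "error"


@dataclass
class GatedVerifier:
    """Same check, but the caller must present a registered key, stays within
    a per-hour quota, and every call (allowed or denied) is audited."""
    window_seconds: int = 3600
    calls: dict = field(default_factory=dict)   # requester id -> [timestamps]
    audit: list = field(default_factory=list)

    def verify(self, api_key, number, name, gender, dob, now=None):
        now = time.time() if now is None else now
        requester = REQUESTERS.get(api_key)
        if requester is None:
            self._log(now, "unknown", number, "denied:unauthenticated")
            return "error:unauthenticated"
        rid, quota = requester
        # Sliding window: keep only calls younger than window_seconds.
        recent = [t for t in self.calls.get(rid, []) if now - t < self.window_seconds]
        if len(recent) >= quota:
            self._log(now, rid, number, "denied:quota")
            return "error:quota_exceeded"
        recent.append(now)
        self.calls[rid] = recent
        result = open_verify(number, name, gender, dob)
        self._log(now, rid, number, result)
        return result

    def _log(self, now, rid, number, outcome):
        # Record a keyed digest of the number, not the number itself, so the
        # audit trail does not become a second copy of the identifiers.
        # The audit key is a constructed placeholder.
        digest = hmac.new(b"audit-log-key", number.encode(), hashlib.sha256).hexdigest()[:12]
        self.audit.append((int(now), rid, digest, outcome))


if __name__ == "__main__":
    g = GatedVerifier()
    print(open_verify("999900001234", "Asha Devi", "F", "1985-04-12"))
    print(g.verify("no-such-key", "999900001234", "Asha Devi", "F", "1985-04-12"))
    print(g.verify("demo-key-bank-001", "999900001234", "Asha Devi", "F", "1985-04-12"))
```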

A security researcher has figured out how to brute
force a passcode on any up-to-date iPhone
or iPad, bypassing the software's security mechanisms.

Since iOS 8 rolled
out in 2014, all iPhones and iPads have come with device
encryption. Often protected by a four- or six-digit passcode, a
hardware and software combination has made it nearly impossible to
break into an iPhone or iPad without cooperation from the device
owner.

And if the wrong passcode is entered too many
times, the device gets wiped.

But Matthew
Hickey, a security researcher and co-founder of cybersecurity
firm Hacker House,
found a way to bypass the 10-time limit and enter as many codes as he
wants -- even on iOS
11.3.

The FBI recently published its 2017
Internet Crime Report highlighting trends and statistics compiled
by the FBI’s Internet Crime Complaint Center (“IC3”) during
2017. The report compiles data from a total of 301,580 complaints
which reported losses of over $1.4 billion. In addition to an
explanation of the IC3’s history and operations, the report
includes five “hot topics” from 2017: business email compromise
(“BEC”), ransomware,
tech support fraud, extortion, and the Justice Department’s Elder
Justice Initiative.

But there are a couple of
things to know before toasting the Court’s high regard for privacy
in the digital age. The Roberts Court, building on what the
preceding Rehnquist Court did, has created an infrastructure for
Fourth Amendment law that makes it exceptionally easy for police to
do a search, even when a warrant is required. The law also makes it
exceptionally difficult for citizens to obtain close judicial
oversight, even when the police have violated the Constitution. As a
result of these background rules, even a decision as seemingly
important as Carpenter is unlikely to have any dramatic
effect on police practices.

It’s not just that our
digital privacy is insufficiently protected, in other words. It’s
that our Fourth Amendment rights and remedies in general have been
eroded.

You probably know that classic books are available
for free on sites like Project
Gutenberg. But Aisha goes the extra mile. She collects some of
the best book series in collections that you’ll find easy to
download and read. Go to “Series” section on Global Grey and
you’ll get an endless reading of free ebooks in collections.

It ticks all the right boxes: it’s
free, there aren’t any ads, and it boasts a vast number
of powerful features.

1. Merge and Split EPUB Ebooks

3. Turn Calibre Into a Sharing Server

If several members of your household have a
Kindle, or if you own multiple Kindles, continually syncing your data
manually quickly becomes tedious.

Instead, why not turn your Calibre app into a
content server? By doing so, you can make your entire Calibre library
available on all your devices. You can even upload new content to
your Calibre library from those devices.

5. Remove DRM From Ebooks

Calibre lets you wrestle back control of your
ebooks by offering a way to remove the DRM from titles you’ve
bought from Amazon
and other online stores.

The Beijing subway system plans to
introduce bio-recognition technology at stations this year to improve
transport efficiency and reduce costs, a senior manager said last
week.

Two bio-recognition technologies, facial
recognition and palm touch, are
being considered, said Zhang Huabing, head of enterprise development
for Beijing Subway, the operator of most lines in the city, during
the International Metro Transit Exhibition in Beijing on Thursday.

Thomas J. Prohaska reports a follow-up to a
situation I had mentioned on this site previously:

The New York Civil Liberties Union has
asked New York State education officials to revoke funding for a
project to install facial recognition software in Lockport schools.

The organization contends the Lockport
school district’s plan endangers the rights of students and
teachers.

In a letter Monday, the NYCLU asked the
state Education Department to cancel its approval of the $2.75
million project.

“It is alarming that Lockport’s
proposal for use of facial recognition technology was not subject to
further scrutiny due to its privacy implications and other civil
liberties concerns,” wrote John A. Curr III, NYCLU western region
director, and Stefanie D. Coyle, education counsel, to Education
Commissioner MaryEllen Elia.

… some 300 new surveillance cameras are to be
installed in 10 Lockport City School District buildings, along with
software that the vendor, SN Technologies of Canada, says will match
the faces seen by the cameras to lists of criminals,
sex offenders and other barred people. District officials
have mentioned noncustodial parents and suspended or expelled
students as others whose facial images could be included in the
software.

… Tony Olivo of Orchard Park, the district's
security consultant, listed by SN Technologies' website as a business
partner, told The Buffalo News in May that the software will detect
the presence of a person whose
photo is in the database of banned individuals 99.97
percent of the time, [Baloney!
Bob] if there are enough digital surveillance cameras to
get an accurate image.

Facial recognition software doesn't always work.
Studies have shown it works best on faces of white males, and doesn't
work well on women, people of color or children.

Is a collection worse than the uncollected
details? What if the intent isn’t innocent?

Sam Lavigne, who is reportedly
an adjunct professor at New York University as well as a digital
designer and developer, released a list of more than 1,500
Immigration and Customs Enforcement employees’ personal information
on Wednesday.

What are the details?

In a since-removed blog post on Medium,
Lavigne wrote, “I’ve downloaded and made available the
profiles of (almost)
everyone on LinkedIn who works for ICE, 1,595 people in
total. While I don’t have a precise idea of what should be done
with this data set, I leave it here with the hope that researchers,
journalists, and activists will find it useful.”

Read more on The
Blaze. Most of the copies were reportedly removed, but this site
does not know if copies are still floating around somewhere.

So if this was publicly available info –
apparently voluntarily shared by people on LinkedIn, is this stalking
or doxxing or anything wrong? What if you suspect that the list was
created with the knowledge that some might use it to harass
individuals?

Where is the First Amendment line here? Justin
Shafer was prosecuted for much less.

Hotels like the Wynn Las Vegas and the
Marriott are installing Amazon listening devices in every room.

Two years ago, Geek Wire revealed
that the Wynn Las Vegas hotel installed Amazon Echo devices in all
their rooms:

You may soon be able to ask that question when traveling to the Wynn
Las Vegas hotel, which announced today that it will place Amazon’s
Echo device — powered by the voice assistant Alexa — in all 4,748
hotel rooms. Wynn Resorts called it an “industry first.”

Apple recently confirmed
the introduction of a new feature called “USB Restricted Mode” in
the latest version of the iPhone’s mobile operating system, iOS 12.
If enabled in the user’s settings, USB Restricted Mode will
disable data transfer from the iPhone over the Lightning cable once
the phone has been locked for an hour unless the phone’s password
is entered.

… law enforcement agents may try to use USB
Restricted Mode’s narrow one-hour time window as justification for
warrantless searches of iPhones they seize. The Fourth Amendment
generally requires a warrant in order for a police search of
someone’s property to be considered reasonable. But that
requirement is rife with exceptions. One exception is the “exigent
circumstances” doctrine. “‘[E]xigent circumstances,’
including the need to prevent the destruction of evidence, permit
police officers to conduct an otherwise permissible search without
first obtaining a warrant.” Kentucky v. King, 131 S. Ct.
1849, 1853-54 (2011).

“…Facebook’s new
screening policies to deter manipulation of political ads are
creating their own problems. The company’s human reviewers and
software algorithms are catching paid posts from legitimate news
organizations that mention issues or candidates, while overlooking
straightforwardly political posts from candidates and advocacy
groups. Participants in ProPublica’s
Facebook Political Ad Collector project have submitted 40 ads
that should have carried disclaimers under the social network’s
policy, but didn’t. Facebook
may have underestimated the difficulty of distinguishing between
political messages and political news coverage — and the
consternation that failing to do so would stir among news
organizations…”

(Related) It makes me wonder if they had some
“online abuse, harassment, spam, and security” they wanted to
hide.

Twitter today announced
it was acquiring the “trust and safety as a service” startup
Smyte to help it better
address issues related to online
abuse, harassment, spam, and security on its platform.
But it also decided to immediately shut down access to Smyte’s API
without warning, leaving Smyte’s existing customers no time to
transition to a new service provider.

The change left Smyte’s current customer base
stranded, with production issues related to the safety of their own
platforms.

… Customers got a phone call, and then –
boom – the service was gone. Clients had multi-year contracts in
some cases.

I’m starting to see some interesting/thoughtful
coverage of these “rent by the ride” vehicles. Start with this
nice overview.

The public reaction to the arrival of dockless
bikes and electric scooters in U.S. cities can be tracked in stages.
The first stage, for many, was annoyance.
Who were these grown men and women on candy-colored bikes and teeny
kick-scooters speeding down the streets and sidewalks, menacing
walkers and leaving their rented toys all over the place? Especially
in San Francisco, where this whimsical new mobility mode has taken
off, scooters have come to
represent yet another example of tech industry entitlement,
another way for a startup to move fast and break stuff.

… The second stage is epiphany,
when the reluctant first-time user—out of curiosity or journalistic
responsibility—actually tries a dockless bike or e-scooter and
realizes that they are not only a visual counterpoint to the bulk and
terror of cars, but a delightful and crazily practical alternative to
them.

That leads to stage three, if it comes: mass
adoption.

Call them Little Vehicles—not just bikes and
scooters, but e-bikes, velomobiles, motorized skateboards, unicycles,
“hoverboards,” and other small, battery-powered low-speed
not-a-cars. Nearly all of them look silly, but if cities take them
seriously, they could be a really, really big deal. Little Vehicles
could significantly erode private car and ride-hail use, and play a
key role in helping cities achieve their as of now unattainable
environmental and road safety goals.

Getting
to mass adoption will require Little Vehicles for all seasons, for
all sorts of trips, and for all
types of people.

Fast
enough to be declared a nuisance and kicked off the
streets of San Francisco and a handful of other cities to allow
local officials to mull regulations. And fast enough to draw big
investments to allow nimble
startups to reach billion-dollar valuations.

In the United States capital Washington, the
electric two-wheelers have become a fixture on city bike paths,
zipping along at speeds up to 25km per hour, sometimes veering onto
sidewalks despite warnings to the contrary.

… Most systems charge US$1 to unlock the
scooter and 15 cents per minute, so a 10-minute trip would cost
US$2.50.

A recent student project was to design an App to
replace physical ATMs. The App probably wouldn’t have this
vulnerability.

… We started as an education company and
thought of what we were doing as a
disruptive force against graduate education. The idea was
that if you could decrease the time [for education] and enhance the
relevancy of the skills you were teaching, you could dramatically
increase the return on investment and get individuals to invest in
their futures, as opposed to hoping that the government would
subsidize loans. It allowed us to exist outside of the accrediting
bodies and that whole incumbent system that was a lot like a taxi
limousine commission.

GarageBand has long been a useful tool to record
music, podcasts and more. Even better, the app is free to download
and use on your Mac or iOS
devices, making it easy to try. Recent updates
have brought enhancements like a portal for free sound packs and a
better drum sequencer (on mobile), along with Touch
Bar support and realistic-sounding drummers
on the desktop. Now, Apple is upgrading
its music creation suite yet again, offering
its previously $5 artist piano and guitar lessons for free,
along with more additions to its drummers, loops and sound effects.

The Car Connectivity Consortium (CCC), an
organization that includes Apple, today announced the publication of
a new Digital Key Release 1.0
specification, which is a standardized solution designed to let
drivers download a digital vehicle key onto their smartphones.

… The new Digital Key specification, which
uses NFC, was developed to create a "robust ecosystem"
around interoperable digital key use cases. It will
let drivers lock, unlock, start the engine, and share access to
their cars using smart devices like the iPhone with reliable user
authentication methods.

“The National Security Archive’s Cyber Vault
Project is announcing the launch
of the CyberWar Map. This
resource is both a visualization of state-sponsored cyberattacks and
an index of Cyber Vault documents related to each topic (represented
as nodes on the map). Clicking on each node will reveal hyperlinks
and document descriptions. In some cases where key analysis was done
under copyright, the link will direct readers to sources external to
the National Security Archive. In a few other cases nodes do not yet
have documents to display. The CyberWar Map is a living research
aid: documents and nodes will be added on a regular basis. This is a
particularly useful way of presenting information related to cyber
actors, tools and incidents. The complexity of the field makes it
increasingly challenging to conceptualize a “bird’s eye view”
of the cyber-battlefield; therefore, the topic lends itself
especially well to a dynamic graphic representation.”

… Impact on E-Workplace and BYOD:
GDPR’s strict adherence to EU citizens’ privacy
protections impacts US businesses directly and requires extremely
strict policies, which is sure to impact BYOD policies. For
instance, GDPR compliance may make certain employees have explicit
permission to process, control and contain data within particular
time frames. Not only this, but in order to adhere to GDPR,
companies may need to be strict enough to include emergency erasing
capabilities, GPS tracking, and thorough logging of all
communication.

Slated to launch next month is a service that
allows consumers to get answers to their legal questions by text for
a flat price of $20.

The service, called Text
A Lawyer, is modeled after ride-sharing service Uber in that it
uses two separate mobile apps, one for consumers to submit legal
questions and another for lawyers who are in a waiting pool ready to
give answers.

The goal, says founder Kevin
Gillespie, is to make it simple for low- and moderate-income
consumers to get answers to legal questions. Text-messaging is a
medium many are comfortable with, he says, and it has the added
advantage of providing both the consumer and lawyer with a transcript
of the Q&A.

… Consumers will pay $20 to submit a legal
question. After consumers open the app, it prompts them to select
the state in which they reside and the kind of lawyer they are
looking for (family, criminal, immigration, etc.). It then asks them
to describe their question in a few sentences. A final screen is a
conflicts check, asking the names of any alleged victims, adverse
parties and witnesses, and the consumer’s relationship to any of
these people.

Steven
Aftergood – Secrecy News Blog: “Military planners should not
anticipate that the United
States will ever dominate cyberspace, the Joint Chiefs of
Staff said in a new doctrinal publication. The kind of supremacy
that might be achievable in other domains is not a realistic option
in cyber operations. “Permanent global cyberspace superiority is
not possible due to the complexity of cyberspace,” the
DoD publication said. In fact, “Even local superiority may be
impractical due to the way IT [information technology] is
implemented; the fact US and other national governments do not
directly control large, privately owned portions of cyberspace; the
broad array of state and non-state actors; the low cost of entry; and
the rapid and unpredictable proliferation of technology.”
Nevertheless, the military has to make do under all circumstances.
“Commanders should be prepared to conduct operations under degraded
conditions in cyberspace.” This sober assessment appeared in a new
edition of Joint Publication 3-12, Cyberspace
Operations, dated June 8, 2018. (The 100-page document
updates and replaces a
70-page version from 2013.)…”

Hewlett Packard Enterprise on Tuesday unveiled a
new strategy it’s planning to spend $4 billion to pursue over the
next four years.

The company will invest that much in technology
and services to enable the intelligent edge, a catch-all phrase used
to describe the myriad of things like smart sensors and cameras or
devices that aggregate and process data they produce upstream in the
network, such as routers, gateways, or servers. What makes them
“edge” devices is their location at the source of the data rather
than in a big data center somewhere far away. What makes them
“intelligent” is the computing capacity and software to analyze
the data in near-real-time, as it’s being generated, and make
decisions based on insights gleaned from that analysis.

Bird electric scooters will not suspend its
operations in Indianapolis as
requested by the city in a letter sent Tuesday evening.

"We look forward to continuing to serve our
new Indy riders as we work with city leaders to create a regulatory
framework that works best for the people of Indianapolis and helps
them meet their goals," Bird spokesman Kenneth Baer said in a
statement sent to the IndyStar.

It also referenced an
ordinance currently pending approval of the City-County Council's
Public Works Committee that would make unlawful "a dockless
bicycle share or hire program on a street, roadway, or other
city-owned property or rights-of-way."

Housing A
Separated Migrant Child Costs The US More Than An Admiral’s BAH

To take a migrant child from her parents at a U.S.
point of entry, place her in a just-erected government tent city, and
keep her separated from family costs the federal government a
whopping $775 per child per night, according to the Department of
Health and Human Services — more than twice what it would cost to
house the children in detention with their families, and nearly six
times more than a brigadier general’s or rear admiral’s housing
allowance for New York City.

Burger King has apologized for an online ad
offering burgers to Russian women who get impregnated by soccer
players during the World
Cup the country is hosting until July 15. The promotion on the
global fast food chain's account on VK – a local rival of Facebook
– suggested Russia could benefit from some good "football
genes."

"As part of its social responsibility
(campaign), Burger King is offering a reward to women who get
impregnated by football stars," said Burger King.

"Every woman will get three million rubles
(around $45,000) and a lifetime's supply of Whopper burgers. Women
who manage to get the best football genes will ensure Russia's
success in future generations."

… "We apologise for our statement. It
turned out to be too offensive," Burger King said.

The ad appeared to be ineptly trying to poke fun
at an inflammatory statement by a lawmaker who urged women not to have
sex with foreign fans.

A sophisticated hacking campaign launched from
computers in China burrowed deeply into satellite operators, defense
contractors and telecommunications companies in the United States and
southeast Asia, security researchers at Symantec Corp said on
Tuesday.

Symantec said the effort appeared to be driven by
national espionage goals, such as the interception of military and
civilian communications.

Such interception capabilities are rare but not
unheard of, and the researchers could not say what communications, if
any, were taken. More disturbingly in this case, the hackers
infected computers that controlled the satellites, so that they could
have changed the positions of the orbiting devices and disrupted data
traffic, Symantec said.

When you think of consequences of employees
clicking on phishing emails, did you ever think about how an entire
state government might wind up having their email domain blacklisted?
It happened to Oregon because oregon.gov was used to send out spam
after an employee clicked on a phishing email. Hillary Borrud
reports:

Oregon’s state technology workers are
scrambling to fix a problem that is preventing thousands of
government employees from corresponding with members of the public
via email.

Several private email providers have
blacklisted the state email domain Oregon.gov after a state employee
apparently clicked on a phishing email earlier this month that
allowed a hacker to access the state’s computer system.

“The malicious link hijacked the
state-owned PC and generated over eight million spam emails from an
Oregon.gov email address,” state officials wrote in an email
explaining the situation to employees on Friday.
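Added example, not from the report or from Oregon’s IT staff: a small detector that reads outbound mail-relay log lines and flags any mailbox in the state’s domain that sends at a rate no employee would, which is the signal an eight-million-message burst from one address produces long before outside providers blacklist the domain. The log-line format, the ten-minute window, the threshold and the domain are assumptions, and the sample lines are constructed.

```python
"""Flag a single mailbox sending bulk outbound mail (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed relay log format (one message per line):
#   <ISO timestamp> from=<sender> to=<recipient> status=<sent|deferred>
LINE_RE = re.compile(r"^(\S+) from=<([^>]+)> to=<([^>]+)> status=(\w+)$")

# Constructed sample log: 'alice' behaves normally, 'bob' is the account
# that starts blasting external recipients after a phishing click.
SAMPLE_LOG = [
    "2018-06-08T09:00:00 from=<alice@example.gov> to=<citizen1@mail.test> status=sent",
    "2018-06-08T09:40:00 from=<alice@example.gov> to=<citizen2@mail.test> status=sent",
    "2018-06-08T10:00:00 from=<bob@example.gov> to=<r1@mail.test> status=sent",
    "2018-06-08T10:00:10 from=<bob@example.gov> to=<r2@mail.test> status=sent",
    "2018-06-08T10:00:20 from=<bob@example.gov> to=<r3@mail.test> status=sent",
    "2018-06-08T10:00:30 from=<bob@example.gov> to=<r4@mail.test> status=deferred",
    "2018-06-08T10:01:00 from=<bob@example.gov> to=<r5@mail.test> status=sent",
    "2018-06-08T10:02:00 from=<bob@example.gov> to=<r6@mail.test> status=sent",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return (timestamp, sender, recipient, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2).lower(), m.group(3).lower(), m.group(4)


def find_bulk_senders(lines, window=timedelta(minutes=10), threshold=5, domain="example.gov"):
    """Return {sender: peak_count} for senders in `domain` whose delivered
    messages inside any sliding window of `window` reach `threshold`.

    Only status=sent lines count, so a flood that is mostly deferred by the
    relay still shows up once enough of it gets through."""
    per_sender = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, _recipient, status = parsed
        if sender.endswith("@" + domain) and status == "sent":
            per_sender[sender].append(ts)

    flagged = {}
    for sender, times in per_sender.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[sender] = peak
    return flagged


if __name__ == "__main__":
    for sender, count in find_bulk_senders(SAMPLE_LOG).items():
        print(f"ALERT: {sender} sent {count} messages within 10 minutes")
```

In practice the threshold would be set from the domain’s own baseline, and the alert should trigger an outbound-mail block and credential reset for that one mailbox rather than waiting for external blacklists.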

Microsoft
CEO Satya Nadella downplayed his company’s work with U.S.
Immigration and Customs Enforcement in a company-wide email sent this
evening, saying that
Microsoft’s contract with ICE deals only with email, calendar, and
messaging—not with separating children from their
parents.

Nadella’s email came after more than 100
employees sent him an open
letter demanding that Microsoft cancel its $19.4 million contract
with ICE. In a January
blog post, Microsoft asserted that it was proud to work with ICE
and that it was providing
ICE with deep learning technology to aid with facial recognition.

But Microsoft executives are now claiming that its
ICE contract does not include facial recognition technology.

… However, Nadella stopped short of vowing to
cancel the ICE contract, as employees had requested in their
letter—nor did he explain why the company’s January blog post
claimed Microsoft offered facial recognition services to ICE.

11 States
Pull National Guard Off Border Missions To Protest Child Separations

Eleven US states have cancelled agreements to send
members of the National Guard to the US-Mexico border as part of a
growing backlash over the Trump administration’s policy of
separating migrant families trying to enter the US.

Initially three states — New York,
Massachusetts, and Colorado — pulled their forces from current or
planned deployments at the border, but they were soon joined by many
more.

… In an
executive order on Monday, John Hickenlooper, Democratic governor
for Colorado, barred state resources from being used to separate
immigrant families.

You’ve
Been Arrested. Will You Get Bail? Can You Pay It? It May All Depend
On Your Judge.

… not all judges in New York City treat bail
the same way. A FiveThirtyEight analysis of 105,581 cases handled by
The Legal Aid Society, the largest public defender organization in
New York, found that how much bail you owe — and whether you owe it
at all — can depend on who hears your case the day you’re
arraigned.

New York’s judges are assigned to arraignment
shifts, hearing every case that comes into the court during that
time. Because the assignments are random — judges hear cases
solely based on when people are arrested and how busy the court is —
we can identify whether defendants are being treated equally
regardless of who hears their case. They are not.

Computational Legal Studies: “Our next
paper — OpenEDGAR – Open Source Software for SEC
Edgar Analysis is now available.
This paper explores a range of #OpenSource tools we have developed
to explore the EDGAR
system operated by the US Securities and Exchange Commission (SEC).
While a range of more sophisticated extraction and clause
classification protocols can be developed leveraging LexNLP
and other open and closed source tools, we provide some very simple
code examples as an illustrative starting point.

Paper: SSRN, arXiv. Codebase: GitHub.

Abstract:
OpenEDGAR
is an open source Python
framework designed to rapidly construct research databases
based on the Electronic Data Gathering, Analysis, and Retrieval
(EDGAR)
system operated by the US Securities and Exchange Commission (SEC).
OpenEDGAR is built on the Django application framework, supports
distributed compute across one or more servers, and includes
functionality to (i) retrieve and parse index and filing data from
EDGAR, (ii) build tables for key metadata like form type and filer,
(iii) retrieve, parse, and update CIK to ticker and industry
mappings, (iv) extract content and metadata from filing documents,
and (v) search filing document contents. OpenEDGAR is designed for
use in both academic research and industrial applications, and is
distributed under MIT License at
https://github.com/LexPredict/openedgar”

Software development isn’t just about writing
code. It’s also about what you do with that code — testing,
documenting, and proper source management. These skills are often
left by the wayside in the classroom.

GitHub wants to change that, and has announced
that it’s expanding GitHub
Education, and will begin offering it to all schools.

Previously, GitHub Education was offered to a
limited number of selected degree or certificate-granting educational
institutions.

GitHub Education is a bundle of the company’s tools
and training. It comes with free access to GitHub Enterprise or
Business Hosted, as well as teacher training for the platform via
GitHub Campus Advisors.

… Of course, GitHub isn’t the only source
management company targeting the education market. Earlier this
month, rival GitLab announced it was offering
its Ultimate and Gold packages to classroom customers.

Tuesday, June 19, 2018

Why users always fall for the lamest phishing
scams is beyond comprehension, but hackers take advantage of this
weakness and hide their scheming behind the usual fake prizes and
too-good-to-be-true giveaways. This time, it was Adidas’ turn to
feature in a major phishing
scam that targeted users in specific regions.

A fake Adidas campaign promising free shoes
instantly became popular through WhatsApp, and it’s not even the
first time such a phishing scheme was used this year. To celebrate
its 69th anniversary, the sports company was allegedly giving away
2,500 pairs of shoes to users who filled out a four-question survey.

All they had to do was click on a link to claim
the prize and share it on WhatsApp with their contacts.

… No matter how many times users tried to
share the campaign, they had no way to confirm that the share
actually went through. It was just part of the scam. The very
detail that they couldn’t
choose color or size should have been a hint that it
wasn’t a legitimate campaign – either that or the
misspelled company name in the spoofed link.

Users were promised free sneakers in exchange for
$1 to claim them, but all they were left with was a recurring
$50-per-month subscription fee. Through the scam, hackers got access
to users’ payments and contact details. The subscription users are
automatically signed up for the “organizejobs” service, which has
been identified
as a scam.

'We do not
know when this is going to be fixed,' American says of CLT flight
problems

American Airlines struggled to recover Monday from
a recurring computer problem that left one of its key regional
carriers unable to fly to or from Charlotte Douglas International
Airport, stranding hundreds of passengers for the second time in a
week.

The problem, airline spokeswoman Katie Cody said,
traced back to the crew scheduling and tracking system at PSA
Airlines, a wholly-owned subsidiary that operates flights under the
American Eagle brand. The issue is with hardware at PSA's
headquarters in Dayton, Ohio, and it's left the carrier unable to get
flight crews and planes matched up. About 350 flights into and out
of Charlotte have been canceled since Sunday, Cody said.

… PSA canceled about 70 flights on Sunday, a
bit more than 10 percent of the total at Charlotte Douglas. A
similar number were planned to be canceled Monday night, Cody said.

For PSA, it was the second time in a week trouble
struck. A technical issue with the regional carrier caused more than
120 Charlotte flights to be canceled last week, on Thursday, and the
issue continued into Friday morning.

… The
outage indicates there might not be a backup software system for crew
scheduling at PSA, Harteveldt said. The problem also
appears to be bigger than American first realized, he said.

“This is apparently a more complex problem than
initially thought, and it could take several days, based on my
understanding, potentially even a week, to really fix this,” he
said.

A U.S. Department of Health and Human
Services Administrative Law Judge (ALJ) has ruled that The University
of Texas MD Anderson Cancer Center (MD Anderson) violated the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy
and Security Rules and granted summary judgment to the Office for
Civil Rights (OCR) on all issues, requiring MD Anderson to pay
$4,348,000 in civil money penalties to OCR. This is the second
summary judgment victory in OCR’s history of HIPAA enforcement and
the $4.3 million is the fourth largest amount ever awarded to OCR by
an ALJ or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting
academic institution and a comprehensive cancer treatment and
research center located at the Texas Medical Center in Houston. OCR
investigated MD Anderson following three separate data breach reports
in 2012 and 2013 involving the theft of an unencrypted laptop from
the residence of an MD Anderson employee and the loss of two
unencrypted universal serial bus (USB) thumb drives containing the
unencrypted electronic protected health information (ePHI) of over
33,500 individuals. OCR’s investigation found that MD
Anderson had written encryption policies going as far back
as 2006 and that MD
Anderson’s own risk analyses had found that the lack of
device-level encryption posed a high risk to the security of ePHI.
Despite the encryption policies and high risk findings, MD Anderson
did not begin to adopt an enterprise-wide solution to implement
encryption of ePHI until 2011, and even then it failed to encrypt its
inventory of electronic devices containing ePHI between March 24,
2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and
findings and upheld OCR’s
penalties for each day of MD Anderson’s non-compliance
with HIPAA and for each record of individuals breached.

...

MD Anderson claimed that it was not
obligated to encrypt its devices, and asserted
that the ePHI at issue was for “research,” and thus was not
subject to HIPAA’s nondisclosure requirements. MD
Anderson further argued that HIPAA’s penalties were unreasonable.
The ALJ rejected each of these arguments and stated that MD
Anderson’s “dilatory conduct is shocking given the high risk to
its patients resulting from the unauthorized disclosure of ePHI,” a
risk that MD Anderson “not only recognized, but that it restated
many times.”

In a letter delivered to CEO Jeff Bezos late
Friday, the shareholders, many of whom are advocates of socially
responsible investing, say they're concerned about the privacy threat
of government surveillance from the tool.

Amazon's technology, called Rekognition and
introduced in 2016, detects objects and faces in images and videos.
Customers, which include law enforcement in Orlando, Florida and
Washington County, Oregon, can upload face databases to automatically
identify individuals.

… The shareholders, which include the Social
Equity Group and Northwest Coalition for Responsible Investment, are
joining groups such as the ACLU in efforts to stop the company
from selling the service — pointing out the risks of mass
surveillance.

… "We are concerned the technology would
be used to unfairly and disproportionately target and surveil people of color, immigrants, and civil society
organizations," the shareholders write. "We are concerned
sales may be expanded to foreign governments, including authoritarian
regimes."

In a blog post earlier this month, Matt Wood, a
general manager of artificial intelligence at Amazon Web Services,
said Amazon's policy prohibits the use of its service for activities
that are illegal, violate the rights of others, or may be harmful.

Plus ça change, plus
c'est la même chose. What else could you expect when the
“punishment” required a few days of pretending to be sorry and
moving to a new office.

Cambridge
Analytica staffers are on the job – working on 2020 campaign

Quartz:
“Hang on to your data, dear Facebook friends. Cambridge
Analytica—the political consultancy that collapsed into bankruptcy
in May after a
scandal about its nefarious information-collection methods—is
apparently metamorphosing. The company that Mark Zuckerberg admitted
targeted 87 million Facebook users’ data, and whose work could well
have influenced elections in the US and UK, may be currently
disgraced. But it also appears to be putting a new face on its same
old data-gathering gig. The Associated Press (AP) on
June 15 reported that top staffers from the fallen consultancy
are back on the job at a newly-formed company with a name that’s
eerily reminiscent of the last place they worked—Data Propria. As
the name implies, the new company is similarly preoccupied with
gathering information, specifically to target voters and consumers.
Basically, it’s the same mission that Cambridge Analytica had.
Matt Oczkowski—head of product at the predecessor firm—is leading
Data Propria, which also employs Cambridge Analytica’s former chief
data scientist, David Wilkinson, and others from the scandal-ridden
company…”

(Related) What does political awareness have in
common with digital savviness?

“The politically aware, digitally savvy and
those more trusting of the news media fare better; Republicans and
Democrats both influenced by political appeal of statements In
today’s fast-paced and complex information environment, news
consumers must make rapid-fire judgments about how to internalize
news-related statements – statements that often come in snippets
and through pathways that provide little context. A new Pew
Research Center survey of 5,035 U.S. adults examines a basic step
in that process: whether members of the public can recognize news as
factual – something that’s capable of being proved or disproved
by objective evidence – or as an opinion that reflects the beliefs
and values of whoever expressed it. The findings from the survey,
conducted between Feb. 22 and March 8, 2018, reveal that even this
basic task presents a challenge. The main portion of the study,
which measured the public’s ability to distinguish between five
factual statements and five opinion statements, found that a majority
of Americans correctly identified at least three of the five
statements in each set. But this
result is only a little better than random guesses. Far
fewer Americans got all five correct, and roughly a quarter got most
or all wrong. Even more revealing is that certain Americans do far
better at parsing through this content than others. Those with high
political awareness, those
who are very digitally savvy and those who place high
levels of trust in the news media are better able than others to
accurately identify news-related statements as factual or opinion…”

On
Wednesday June 13, in the run-up to Mexico's July 1 presidential
election, a website operated by the rightist National Action Party
(PAN) was taken off-line for several hours by a DDoS attack. The
outage occurred at the time of a televised presidential debate, and
just following a point at which the PAN candidate held up a placard
with the website address claiming it held proof of potential
corruption.

… The
source of the DDoS attack is unknown and possibly unknowable – but
it is a reminder of the extent to which the internet can be used to
influence or even control public opinion.

The
accusations of Russian involvement in both the
Trump election in the U.S. and the UK Brexit referendum
are still fresh. Perhaps more directly relevant is the controversy
over the DDoS attack on the FCC website just as it was gathering
public comment on the (then) proposed elimination of the net
neutrality rules.

The
FCC claimed it had been taken
off-line by a DDoS attack. Critics of the FCC plans have
suggested it was purposely taken off-line to avoid registering mass
public dissent over the FCC rules. If the Mexico event was a direct
parallel to these claims, it could suggest that PAN couldn't prove
the criticisms it was making, and took down the website itself.

This
last possibility is not a serious proposal – but it illustrates the
plausible deniability and difficulty
of attribution that comes with cyber activity. The DDoS attack
could have been delivered by Russia (because it has a history of
interference); by AMLO (to prevent access to his competitor's
website); by the U.S. (because it would almost certainly prefer a
right-leaning to a left-leaning neighbor); or by PAN itself (as a
false flag). Or, of course, none of the above -- a straightforward
DDoS attack by cybercriminals.

The auditing work of one of the world's "Big
Four" accounting firms has been sharply criticised by the
industry's watchdog.

KPMG audits had shown an "unacceptable
deterioration" and will be subject to closer supervision, the
Financial Reporting Council said.

The FRC added all the Big Four - which also
include PwC, EY and Deloitte - needed to reverse a decline.

KPMG said it was "disappointed" and was
taking steps to improve audit quality.

… "There has been an unacceptable
deterioration in quality at one firm, KPMG," the FRC said in a
statement. "50% of KPMG's FTSE 350 audits required more than
just limited improvements, compared to 35% in the previous year."

… "They must address urgently several
factors that are vital to audit, including the level of challenge and
scepticism by auditors, in particular in their bank audits. We also
expect improvements in group audits and in the audit of pension
balances."

… KPMG came in for criticism over its audit of
collapsed construction firm Carillion earlier this year, and the FRC
has opened an investigation into the group under the Audit
Enforcement Procedure.

The auditor was also recently fined £3.2m by the
watchdog over its audit of insurance firm Quindell. Last year, the
FRC opened an investigation into KPMG's audit of the accounts of
aero-engine maker Rolls-Royce.

… the accounting industry has faced a lot of
criticism in the last few years over whether their verdicts on
companies' accounts can be trusted.

Banco de Chile, the second largest bank in the
country, released
a public statement confirming a major malware attack that breached
its computer systems on May 24, shutting down bank operations. The
hackers used a disk-wiping malware to cause the outage in order to
distract attention from their original target – the SWIFT money
transferring system.

… According
to the bank’s CEO Eduardo Ebensperger, $10 million were stolen and
linked to accounts based in Hong Kong.

“We found some strange transactions on the Swift
system, and that’s when we realized that the virus wasn’t all of
it, but fraud was being attempted,” he confirmed in an interview
last week (translation).

Why is this so common in Chicago? Has it been
like this since the time of Mrs. O’Leary’s cow?

If there is a Keystone Cops equivalent of a k-12
data breach, a recent incident involving Chicago Public Schools may
be a strong contender.

Last week, this site noted
a breach that seemed puzzling in its description. Since that
time, some informed parents have reached out to me to provide me with
more details about the incident.

It all started when Chicago Public Schools (CPS)
sent a letter to parents of students who were eligible to select
other schools for the 2018-2019 school year. The letter was intended
to instruct the parents how to review the schools that their child
was eligible for and how to indicate their choice.

Based on what was provided to DataBreaches.net by
Cassie Creswell, co-director of Raise Your Hand Action, a
Chicago-based public education advocacy group, it appears that
instead of the letter having an attachment, the letter (only)
contained a link to a file on Blackboard. That file contained 3,700
students’ and parents’ information. So every recipient who
clicked on the link in the email would have seen – and could have
downloaded – a file with thousands of students and parents’
information.

Why that
file should be up on Blackboard with absolutely no login required was
not explained by CPS in their breach notification letter.

The names are the student’s name, the phone
numbers and email are for the parent, and the reference code is the
child’s CPS student ID number, Creswell explained. The field
labeled “Building” contained a list of one or more types of
selective schools: AC, Regional Gifted Centers, Classical.

Frustratingly, it appeared that although CPS
fairly quickly realized that they had had a data breach, they didn’t
quite understand the nature of the breach. Initially, as their
notification letter suggested, they seemed to believe that parents
had actually received an attached file with 3,700 students’
information. Hence, they asked parents to basically “do the right
thing” and delete the attachment without looking at it.

But there was no attachment, and it took CPS more
than 4 hours to figure out that instead of asking parents to delete a
nonexistent attachment, they needed to remove the unsecured file from
Blackboard or otherwise lock it down.

So while CPS may have believed that they had
responded appropriately to the breach by asking parents to delete an
attached file, in actuality, the file remained where it had always
been – up on Blackboard. And any parents who hadn’t already
accessed that file when they first got an email from CPS might have
become curious and taken a look at the file in the more than 5 hours
it allegedly took CPS to actually secure the file.
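An added example, not code from DataBreaches.net, Chicago Public Schools or Blackboard: the pre-send scoping check that would have caught this. A notification tool should never hand every recipient a link to the whole roster; it should render each parent only their own child's rows and refuse to send anything that still contains another student's ID. The script assumes the field layout Creswell described (student name, parent phone and email, reference code as student ID, building) and uses constructed sample rows in place of the 3,700-record file. One constructed edge case is included: two children sharing a parent address, which is legitimate and must not be flagged as a leak.

```python
"""Pre-send scoping check for a mass notification that delivers a data file.

Added example, not code from DataBreaches.net, Chicago Public Schools or
Blackboard. It assumes the roster layout the article describes (student
name, parent phone and email, reference code = student ID, building) and
uses constructed sample rows.
"""
import csv
import io
from collections import defaultdict

# Constructed sample roster standing in for the 3,700-row file.
# Two children (Ana, Eli) share one parent address, which is legitimate.
ROSTER_CSV = """Name,Phone,Email,Reference Code,Building
Ana Lopez,312-555-0101,ana.parent@example.com,40001001,AC
Ben Okafor,312-555-0102,ben.parent@example.com,40001002,Regional Gifted Centers
Cara Nguyen,312-555-0103,cara.parent@example.com,40001003,Classical
Dev Patel,312-555-0104,dev.parent@example.com,40001004,AC;Classical
Eli Brown,312-555-0105,Ana.Parent@example.com,40001005,Regional Gifted Centers
"""

# Only what the recipient needs to make a school selection; no phone numbers.
ATTACHMENT_FIELDS = ["Name", "Reference Code", "Building"]


def parse_roster(text):
    """Read the exported roster into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def recipient_key(row):
    """Normalise the parent address so case differences do not split a family."""
    return row["Email"].strip().lower()


def split_by_recipient(rows):
    """Group roster rows by the parent address that will receive them."""
    per_parent = defaultdict(list)
    for row in rows:
        per_parent[recipient_key(row)].append(row)
    return dict(per_parent)


def render_attachment(rows):
    """Render one recipient's rows as the CSV they should actually get."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ATTACHMENT_FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def foreign_ids(recipient, artifact_text, rows):
    """Student IDs present in artifact_text that do not belong to recipient.

    This is the check that flags the failure mode in the article: a single
    roster file linked to every parent. Matching against the known ID set
    rather than a digit pattern avoids false hits on phone numbers.
    """
    recipient = recipient.strip().lower()
    all_ids = {r["Reference Code"] for r in rows}
    own_ids = {r["Reference Code"] for r in rows if recipient_key(r) == recipient}
    found = {sid for sid in all_ids if sid in artifact_text}
    return sorted(found - own_ids)


def build_mailing(roster_text):
    """Produce {parent_email: attachment_csv}, refusing to ship cross-recipient data."""
    rows = parse_roster(roster_text)
    mailing = {}
    for email, own_rows in split_by_recipient(rows).items():
        body = render_attachment(own_rows)
        leaked = foreign_ids(email, body, rows)
        if leaked:  # defence in depth: must never trigger once rows are scoped
            raise ValueError(f"{email} attachment exposes other students: {leaked}")
        mailing[email] = body
    return mailing


if __name__ == "__main__":
    roster = parse_roster(ROSTER_CSV)
    # The shared-file scenario: one link to the whole roster for everyone.
    print("shared roster exposes to ana.parent:",
          foreign_ids("ana.parent@example.com", ROSTER_CSV, roster))
    # The scoped alternative: one small artifact per parent.
    for addr, body in build_mailing(ROSTER_CSV).items():
        print(addr, "->", body.count("\n") - 1, "row(s)")
```

Run against the constructed roster, `foreign_ids` reports three foreign student IDs when the whole file is treated as Ana's parent's artifact, and none for any of the four per-recipient attachments `build_mailing` produces. The same check can be pointed at whatever a mass-mail tool is about to link to; if the artifact is a hosted file rather than an attachment, it also has to be confirmed that fetching that link with no session cookie fails, which this offline example does not cover.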

To make matters even worse, there’s some
indication that this was not
the first time CPS had made this exact type of error.
DataBreaches.net was provided with a text copy of an email sent by
CPS on March 10, 2017 that contacted parents about selective
enrollment, and that supposedly contained an attachment, but actually
contained a link to a live file on Blackboard:

*File attachments:* SEHS Confirmation Reminder.csv

This certainly appears to be the same scenario as
the recent breach, and DataBreaches.net has reached out to CPS to ask
them to confirm or deny whether this was the same kind of breach.

In a statement to DataBreaches.net, Creswell
summarized parental frustration and fears:

We are deeply concerned about yet another
improper sharing incident of student data in Chicago Public Schools.
The district’s response to being notified of the breach was
especially concerning because (1) it was clear that they initially
didn’t understand how the data had been shared (on the web vs as an
email attachment), and it took hours for them to disable the web
site. And (2) this is at least the second time that they’ve made
this exact mistake.

CPS has a $950K contract with Blackboard
Connect, but it seems that they haven’t received either the
training or the support needed to properly use this product, one
which interfaces with their own Student Information System.

This is just an error that’s come to
light publicly; what else is happening that the parents and the
public don’t even see?

As noted above, DataBreaches.net reached out to
CPS to ask them to confirm or deny that this was the second time that
parents had been given a link to a file on Blackboard instead of
being provided an attached form to complete. DataBreaches.net also
posed two additional questions to Tony Howard, Executive Director,
CPS Office of Access and Enrollment:

In terms of the current/most recent
incident: Who determined that a file should be uploaded to Blackboard
and made available without any login required? Was that an executive
decision or did some hapless employee just screw up or….?

and

Is someone going to reconfigure
connect.blackboard to require at least a password to access files on
it? I’m concerned that someone could have uploaded a spreadsheet
with hundreds of thousands of student names, IDs, and medical or SpEd
information or other sensitive info.

No response was immediately received, but that is
not surprising on a weekend and holiday. This post will be updated
if a reply is received.

So, now that we are free to react, how will they
react to our reaction?

Pentagon
Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict

The Pentagon has quietly empowered the United
States Cyber Command to take a far more aggressive approach to
defending the nation against cyberattacks, a shift in strategy that
could increase the risk of conflict with the foreign states that
sponsor malicious hacking groups.

Until now, the Cyber Command has assumed a largely
defensive posture, trying to counter attackers as they enter American
networks. In the relatively few instances when it has gone on the
offensive, particularly in trying to disrupt the online activities of
the Islamic State and its recruiters in the past several years, the
results have been mixed at best.

But in the spring, as the Pentagon elevated the
command’s status, it opened the door to nearly daily raids on
foreign networks, seeking to disable cyberweapons before they can be
unleashed, according to strategy documents and military and
intelligence officials.

… It is unclear how carefully the
administration has weighed the various risks involved if the plan is
acted on in classified operations. Adversaries like Russia, China
and North Korea, all nuclear-armed states, have been behind major
cyberattacks, and the United States has struggled with the question
of how to avoid an unforeseen escalation as it wields its growing
cyberarsenal.

Another complicating factor is that taking action
against an adversary often requires surreptitiously operating in the
networks of an ally, like Germany — a problem that often gave the
Obama administration pause.

Sounds fluffy to this old auditor. Are we going
to wait a year to find out if they have any impact?

Facebook
quietly made a huge concession to shareholders as it aims to avoid
another data disaster

… On Friday, Facebook quietly changed the name
of its audit committee — which is chaired by former White House
chief of staff Erskine Bowles — to the audit and risk oversight
committee.

The committee's responsibilities have also been
increased to encompass three major issues:

It will review
how Facebook "services
can be used to facilitate harm or undermine public safety or the
public interest."
This could be read as a reference to fake news and election
interference. [If that’s
what they meant, that’s what they would have said. Bob]

It will
investigate Facebook's "privacy
program"
following the Cambridge Analytica scandal, in which the accounts of 87
million users were compromised.

Facebook's "cybersecurity
risk exposures"
will also be analysed by the committee.

Bowles' group of executives, which also include
Marc Andreessen, Kenneth Chenault, and Jeffrey Zients, will conduct
these reviews at least once
a year.

Law
Technology Today: “Legal analytics involves mining data
contained in case documents and docket entries, and then aggregating
that data to provide previously unknowable insights into the behavior
of the individuals (judges and lawyers), organizations (parties,
courts, law firms), and the subjects of lawsuits (such as patents)
that populate the litigation ecosystem. Litigators use legal
analytics to reveal trends and patterns in past litigation that
inform legal strategy and anticipate outcomes in current cases.
While every litigator learns how to conduct legal research in law
school, performs legal research on the job (or reviews research
conducted by associates or staff), and applies the fruits of legal
research to the facts of their cases, many may not yet have
encountered legal analytics. Data-driven insights from legal
analytics do not replace legal research or reasoning, or lawyers
themselves. They are a supplement, both prior to and during
litigation…”

A woman with late-stage breast cancer came to a
city hospital, fluids already flooding her lungs. She saw two
doctors and got a radiology scan. The hospital's computers read her
vital signs and estimated a 9.3 percent chance she would die during
her stay.

Then came Google's turn. A new type of algorithm
created by the company read up on the woman – 175,639 data points –
and rendered its assessment of her death risk: 19.9 percent. She
passed away in a matter of days. [So
the correct number was 100%? Bob]

The harrowing account of the unidentified woman's
death was published by Google in May in research highlighting the
health-care potential of neural networks, a form of artificial
intelligence software that's particularly good at using data to
automatically learn and improve. Google had created a tool that
could forecast a host of patient outcomes, including how long people
may stay in hospitals, their odds of re-admission and chances they
will soon die.

What impressed medical experts most was Google's
ability to sift through data previously out of reach: notes buried in
PDFs or scribbled on old charts. The neural net gobbled up all this
unruly information then spat out predictions. And it did it far
faster and more accurately than existing techniques. Google's system
even showed which records led it to conclusions.

It turns out that the project in Software
Architecture was rather timely after all. Perhaps Facebook will hire
some of my students to point out the errors in their system?

A million
Indians testing Whatsapp payments; what's the feedback like?

Almost one million people in India are "testing"
WhatsApp's payments service, and the company is working with the
Indian government, NPCI
and multiple banks to further expand the feature to more users, a
company official said.

WhatsApp
payment service, which rivals the likes of Paytm, has been in
beta testing over the last few months.

… WhatsApp had received permission from NPCI
to tie up with banks to facilitate financial transactions via
Unified Payments Interface (UPI).

Paytm
founder Vijay Shekhar Sharma had earlier this year alleged that
WhatsApp's UPI payment platform has security risks for consumers and
is not in compliance with the guidelines.

The Reserve Bank of India has mandated all payment
system operators to ensure that data related to payments is stored
only in India giving firms six months to comply with it.

… WhatsApp had stated that sensitive user data
such as the last 6 digits of a debit card and UPI PIN is not stored
at all.

While it admitted to using the infrastructure of
Facebook
for the service, it asserted that the parent firm does not use
payment information for commercial purpose.

Google
places a $550 million bet on China's second-largest e-commerce player

… The two tech companies said they would work
together to develop retail infrastructure that can better personalize
the shopping experience and reduce friction in a number of markets,
including Southeast Asia.

For its part, JD.com said it planned to make a
selection of items available for sale in places like the U.S. and
Europe through Google Shopping — a service that lets users search
for products on e-commerce websites and compare prices between
different sellers.

… At the same time, JD.com also teamed up with
U.S. retail giant Walmart in the grocery business. Reports
said Walmart opened a small high-tech supermarket in China where
consumers can use smartphones to pay for items that are mostly
available on its virtual store on online platform JD Daojia, an
affiliate of JD.com.

This link could be handy since we no longer teach
our students how to use PowerPoint.

Flipgrid
has been acquired
by Microsoft. That's good news for the founders of Flipgrid and
great news for all of us who enjoy using Flipgrid. As of this
morning all Flipgrid features are now free for all users! If you are
a person who paid for a Flipgrid Pro account, you'll be getting a
prorated refund of your subscription.

Some of the features of Flipgrid that are now
available to all users include:

Unlimited grids!

More time limit options

Set a time limit between fifteen seconds
and five minutes.

Scheduled launch and freeze dates.

According to their statement, Flipgrid will
continue to work on Chromebooks, iPads, iPhones, Android phones and
tablets, and in the web browser on your Windows or Mac computer.

If you haven't tried Flipgrid,
take a look at my video to see what it's all about.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.